A bit about me...

* Jeremy Long
  — 15 years information security experience
  — 10 years software development experience
  — SAST enthusiast
  — Contributor to the OWASP Java Encoder Project
  — Lead developer/architect for OWASP dependency-check
  — @ctxt / jeremy.long@owasp.org
What are we going to talk about?

* Why should we care?
* Patching programs
* What application teams can do
* Deep dive into dependency-check
* Usage scenarios
* Governance
Why should we care?

* CVE-2016-5000 - Apache POI Information Disclosure via External Entity Expansion (XXE)
* CVE-2016-4216 - Adobe XMP Toolkit for Java Information Disclosure via External Entity Expansion (XXE)
* CVE-2016-3081 - Remote code execution vulnerability in Apache Struts when dynamic method invocation is enabled
* CVE-2015-8103 - Remote code execution vulnerability in Jenkins remoting; related to the Apache commons-collections
Black Duck - Open Source Security Analysis

* The State of Open Source Security in Commercial Applications
  — https://info.blackducksoftware.com/rs/872-OLS-526/images/OSSAReportFINAL.pdf
* 95% of applications include open source
* 67% of applications contained open source vulnerabilities
* Average age of open source vulnerability identified: 1,894 days
OWASP Top 10 2013

* Most critical web application risks
* A9 — Using components with known vulnerabilities
  — Prevalence: Widespread
  — Detectability: Difficult
* Difficult for 4 reasons
  — Awareness
  — Visibility
  — Lack of tooling in 2012/2013

Patching Programs

* Generally do not cover application dependencies
  — Lack of awareness of 3rd party or FOSS application dependencies
  — Patching teams cannot push patches
* Patching application dependencies requires
  — Possible code changes
  — Full regression testing
Enter OWASP dependency-check

* Project started December 2011 (first published in 2012)
* Performs Software Composition Analysis
  — Reports known vulnerabilities
* Easy solution to the OWASP 2013 Top 10 A9 Using components with known vulnerabilities
* Works as:
  — Maven Plugin
  — Jenkins Plugin
  — Ant Task
  — Gradle Plugin
  — SBT Plugin
  — Command Line
Language/Technology Support

* Fully supported: Java & .NET
* Experimental Analyzers:
  — CocoaPods
  — Swift Package Manager
  — Python
  — PHP (composer)
  — Node.js
  — Ruby
OWASP dependency-check

HOW DOES IT WORK?
Vulnerability Data Source

* National Vulnerability Database (NVD)
  — https://nvd.nist.gov
* Contains a listing of Common Vulnerabilities and Exposures (CVE)
* Each CVE entry contains
  — A description of the vulnerability or exposure
  — A Common Vulnerability Scoring System (CVSS) score
  — A list of the affected platforms identified by their Common Platform Enumeration (CPE)
Library Identification

* Reporting on known/published vulnerabilities requires the correct identification of the libraries used
Library Identification Problems

* Development & Security use different identifiers
* Development (GAV coordinates):
  — org.springframework:spring-core:3.2.0.RELEASE
* Security uses Common Platform Enumeration (CPE):
  — cpe:/a:springsource:spring_framework:3.2.0
  — cpe:/a:pivotal:spring_framework:3.2.0
  — cpe:/a:pivotal_software:spring_framework:3.2.0
* No publicly available database exists to map between the two
Evidence Based Identification

* Evidence is extracted from dependencies
  — File name, manifest, POM, package names, etc.
  — Evidence is grouped into Vendor, Product, and Version collections
* Local copy of the NVD CVE is maintained
* Lucene Index of the CPE information is created
* Evidence collected is used to search the index and identify the library by CPE
Evidence Based Identification Issues

* False Positives
  — Evidence extracted may cause incorrect identification
* False Negatives
  — If key elements are not included in the dependency (e.g. jar, dll) the library will not be identified and may result in un-reported risk
Dealing with False Positives

* Invalid dependency identification can be resolved using a suppression file:

  <suppress>
     <notes><![CDATA[
     This suppresses false positives identified on spring security.
     ]]></notes>
     <gav regex="true">org\.springframework\.security:spring.*</gav>
     <cpe>cpe:/a:mod_security:mod_security</cpe>
     <cpe>cpe:/a:springsource:spring_framework</cpe>
     <cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
  </suppress>
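As an added illustration of the three preceding slides (evidence extraction, the false-positive problem, and the suppression rule), this Python sketch scores constructed CPE entries against tokenised vendor/product evidence from GAV coordinates, shows how spring-security evidence lands on mod_security, and applies the slide's suppression rule to drop it. It is not dependency-check's own code (which searches a Lucene index of the NVD CPE data); the CPE list, token scoring and the assumption that the GAV regex must match the whole coordinate string are constructed for the example.

```python
import re

# Constructed mini CPE index in the cpe:/a:vendor:product form used on the slides.
# Illustration only: dependency-check searches a Lucene index over the NVD CPE data.
CPE_INDEX = [
    "cpe:/a:springsource:spring_framework",
    "cpe:/a:vmware:springsource_spring_framework",
    "cpe:/a:mod_security:mod_security",
    "cpe:/a:apache:commons_collections",
]

# Suppression rule from the slide's suppression file: GAV regex plus the CPEs to drop.
SUPPRESSION = {
    "gav_regex": r"org\.springframework\.security:spring.*",
    "cpes": [
        "cpe:/a:mod_security:mod_security",
        "cpe:/a:springsource:spring_framework",
        "cpe:/a:vmware:springsource_spring_framework",
    ],
}

def tokens(text):
    """Lower-case word tokens: 'spring-security-core' -> {'spring', 'security', 'core'}."""
    return {t for t in re.split(r"[^a-z0-9]+", text.lower()) if t}

def evidence_from_gav(gav):
    """Group evidence from Maven GAV coordinates into vendor and product collections."""
    group, artifact, _version = gav.split(":")
    return {"vendor": tokens(group), "product": tokens(group) | tokens(artifact)}

def score(cpe, evidence):
    """Number of evidence tokens that hit the CPE's vendor and product fields."""
    vendor, product = cpe.split(":")[2:4]
    return len(tokens(vendor) & evidence["vendor"]) + len(tokens(product) & evidence["product"])

def identify(gav, index=CPE_INDEX):
    """Candidate CPEs for a GAV, best score first; ties broken alphabetically."""
    evidence = evidence_from_gav(gav)
    scored = [(score(cpe, evidence), cpe) for cpe in index]
    return [cpe for s, cpe in sorted(scored, key=lambda x: (-x[0], x[1])) if s > 0]

def apply_suppression(gav, cpes, rule=SUPPRESSION):
    """Drop the rule's CPEs when the GAV matches its regex (assumed: whole-string match)."""
    if re.fullmatch(rule["gav_regex"], gav):
        return [c for c in cpes if c not in rule["cpes"]]
    return cpes

if __name__ == "__main__":
    gav = "org.springframework.security:spring-security-core:3.2.0.RELEASE"
    print(identify(gav), "-> after suppression:", apply_suppression(gav, identify(gav)))
```

The "security" token in the group id gives mod_security the highest score, which is exactly the false positive the suppression file targets; spring-core itself does not match the regex and keeps its candidates.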
USING DEPENDENCY-CHECK

Onboarding an Application

* Basic steps
  — Configure plugin
    * Proxy configuration
  — Run initial scan
  — Create and configure a suppression file (if needed)
  — Plan the upgrade for identified vulnerable components
Use Cases for dependency-check

* Prove the existence of the problem
* Baseline test when conducting POCs with commercial solutions
* OWASP dependency-check is used as the primary tool to identify known vulnerable components
Enterprise Deployments

* Use a centralized database to maintain the local copy of the NVD
  — Single instance of dependency-check used to update
  — Scanning instances do not need to update
* Use an internal Nexus instead of Maven Central
* Run dependency-check within their CI
* Continuous monitoring/reporting using OWASP dependency-check sonar plugin, OWASP dependency-track, or ThreadFix
Vulnerable Dependencies as Code Quality

* Fail a build if known vulnerabilities are detected
  — Jenkins, gradle, maven, ant plugins
* Put security into your code quality metrics
  — OWASP dependency-check sonar plugin
Governance

* Known vulnerable dependencies are only one part of the software composition problem
* Organizations should:
  — Control what dependencies are allowed
    * Cleared by architecture, legal, and security reviews
    * Must be easy/quick to engage the governance process
QUESTIONS?

More Information

* OWASP dependency-check
  — http://jeremylong.github.io/DependencyCheck/
* OWASP dependency-track
  — https://github.com/stevespringett/dependency-track
* OWASP dependency-check-sonar-plugin
  — https://github.com/stevespringett/dependency-check-sonar-plugin
More Information

* Related Projects
  — Ruby Bundler-Audit
  — Retire.js
  — Node Security Project